Accessing data and sharing it across teams or with third parties is very common. Sharing sensitive data is a strict no. But why even share data that is irrelevant to the data consumer? Suppose a MongoDB collection contains sensitive information. To restrict access to the collection, MongoDB offers Role-Based Access Control (RBAC).
However, there may be instances where you want to share your collection with a broader audience without exposing sensitive data or irrelevant information. For example, you may want to share collections with the marketing team for analytics purposes without divulging personally identifiable information (PII) or confidential data such as credit card numbers. In this blog post, we will explore how to achieve this using MongoDB views in conjunction with MongoDB RBAC.
To follow along, you’ll need either of the following:
- A MongoDB cluster with authentication enabled.
We assume you already have an admin user on your cluster with full privileges, or at least a user with permissions to create views, custom roles, and users.
Let us create a MongoDB collection, say ‘Person’, with some sample data as below:
With MongoDB RBAC, we can restrict data access to the ‘Persons’ collection. However, what if we want to share this data with the customer retention team so that they can contact the persons whose credit card is going to expire soon and send reminders about renewal? For this use case, age and sex seem irrelevant, and the credit card number is sensitive data that should not be shared. The retention team only needs to know basic information like name, date of expiry and contact details.
As discussed above, we want to share the ‘Persons’ collection with a wider audience with selective information only. We can create a view that only includes selected fields. Here’s an example of creating a view named “reminder_view” using the
To verify that the view works correctly, you can execute the following command:
The result will show the documents with the selected fields only, excluding the sensitive and irrelevant ones.
Managing Data Access with MongoDB RBAC
To enable restricted access rights for our view in MongoDB, it is necessary to create a custom role. Create the "view_access" role with the necessary privileges to access the
Next, we can create a user with the created role:
Now we can share the credentials of view_user with the customer retention team, who then see only the relevant parts of the persons data, with any sensitive information hidden.
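The steps above put together as an added example; it is not code from the original post. The database name `crm` and the field names (`name`, `email`, `phone`, `cardExpiry`, `cardNumber`) are assumptions, while `Persons`, `reminder_view`, `view_access` and `view_user` are the names used in the post.

```javascript
// Assumed names (not from the original post): database "crm" and the field
// names below. Persons, reminder_view, view_access, view_user are the post's.
const DB_NAME = "crm";
const SOURCE = "Persons";
const VIEW = "reminder_view";

// Allow-list projection: only named fields reach the view, so a sensitive
// field added to Persons later stays hidden by default.
const viewPipeline = [
  { $project: { _id: 0, name: 1, email: 1, phone: 1, cardExpiry: 1 } },
];

// Read access to the view only; no privilege on the Persons collection.
const viewAccessRole = {
  role: "view_access",
  privileges: [{ resource: { db: DB_NAME, collection: VIEW }, actions: ["find"] }],
  roles: [],
};

// Check: the role inherits nothing and every privilege is `find` on the view.
function roleIsViewOnly(role) {
  return role.roles.length === 0 && role.privileges.every((p) =>
    p.resource.db === DB_NAME && p.resource.collection === VIEW &&
    p.actions.every((a) => a === "find"));
}

// Offline stand-in for an inclusion-only $project, to review the field list.
function projectInclusion(doc, spec) {
  const out = {};
  for (const [field, flag] of Object.entries(spec)) {
    if (flag === 1 && field in doc) out[field] = doc[field];
  }
  return out;
}

// Constructed sample document, not real data.
const samplePerson = {
  _id: 1, name: "Asha Rao", age: 34, sex: "F", email: "asha@example.com",
  phone: "555-0100", cardNumber: "0000-0000-0000-0000", cardExpiry: "2030-01",
};

// Inside mongosh `db` is defined, so the same objects are applied to the server.
if (typeof db !== "undefined") {
  const target = db.getSiblingDB(DB_NAME);
  target.createView(VIEW, SOURCE, viewPipeline);
  target.createRole(viewAccessRole);
  target.createUser({ user: "view_user", pwd: passwordPrompt(),
    roles: [{ role: "view_access", db: DB_NAME }] });
}
```

Run under Node, the script only defines the objects and helper checks; loaded in mongosh by a user allowed to create views, roles and users, it also creates them and prompts for the new user's password.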
In this blog post, you learned how to share your MongoDB collections, even the most critical ones, with a wider audience without exposing sensitive data.